Monthly Archives: February 2013

There could of course be plenty of reasons you’re experiencing this behaviour but I’ll zoom in on two which I’ve noticed are particularly prevalent with Windows 7 and which may not be immediately obvious.

Server Message Block Signing

The first time I saw this behaviour, it was after I’d introduced a hardened-build policy (yes the very same Win7-EC-Desktop baseline policy I refer to in an earlier post). The problem is to do with the Server Message Block Signing policy. There are two fixes – either update the servers holding your DFS shares to acknowledge the policy so Windows 7 can talk to them securely or simply disable the policy on the Windows 7 clients. The first is preferable, the second solution is easier, your choice.

Change group policy to reflect the settings in the image and you should be fine. Obviously this is the easier, second option!

Token Size

Assuming this has been ruled out, the second, possibly less obvious reason for failure to connect to DFS shares is user token size. For those unfamiliar with token size, it basically relates to the size of the security ‘token’ you are issued with when you log onto a computer in a domain. This token is responsible for security assessment throughout your logon session. As more groups are added to your user account the token size increases. If you were to add a group that has another hundred groups nested in it, then your token size will increase accordingly!

Although this was a problem with Windows XP, it was generally more forgiving than in Windows 7/8 and for this reason you are more likely to notice the problem if you have recently upgraded. To confirm the issue, you are likely to see a message in the ‘system’ log in event viewer like the one below:

Again there are two choices you can make here. Firstly, you can increase the token size available for domain accounts in group policy. This, in my opinion, is the sensible way to fix the issue if you aren’t able to do much about the group sizes. The second, easier option is to remove groups you can do without until the token size is back to a respectable level. If this proves to be a slightly easier choice for you then you might require multiple accounts, eg one with admin groups to do privileged operations and another which lets you do day to day stuff. You can always use the run as… feature to save you logging off/on all the time.